Author: Mike Mj Johnson

This series is intended to be an introductory look into Kubernetes. If your organization is interested in custom training around your infrastructure, please reach out to us at BoxBoat. We are both a Docker and Linux Foundation training partner and can provide onsite corporate training on Docker and Kubernetes.
Welcome to the first post in the BoxBoat Kubernetes Training Fundamentals course. We designed a blog and video series to get you familiar with the core tenets of Kubernetes and Docker container orchestration.

With the popularity of Kubernetes, there is always potential for security vulnerabilities to be uncovered. And well, this one is a doozy.
What is it? The Kubernetes team just released a fix for CVE-2018-1002105, which allowed anyone with API access (privileged or not) to use a specially crafted request to escalate privileges and take control of your Kubernetes cluster. Ouch.
From the CVE:
“With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.